Quantum Cryptography Based on Orthogonal States 

Lior Goldenberg and Lev Vaidman 



School of Physics and Astronomy 
Raymond and Beverly Sackler Faculty of Exact Sciences 
Tel Aviv University, Tel-Aviv 69978, Israel. 



Abstract 

All existing quantum cryptosystems use non-orthogonal states as the carriers of 
information. Non-orthogonal states cannot be cloned (duplicated) by an eavesdrop- 
per. In result, any eavesdropping attempt must introduce errors in the transmission, 
and therefore, can be detected by the legal users of the communication channel. Or- 
thogonal states are not used in quantum cryptography, since they can be faithfully 
cloned without altering the transmitted data. In this Letter we present a crypto- 
graphic scheme based on orthogonal states, which also assures the detection of any 
eavesdropper. 
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A basic task in cryptography is exchanging a secret message between two users, tradi- 
tionally called Alice and Bob, in a way that no other party can read it. The only known 
method to do this in a proven secure way is to use a 'one-time pad', which uses a pre- 
viously shared secret information called a key. The key, a sequence of random bits, is 
used for encrypting the message. The encrypted message is completely confidential, even 
if transmitted via a public communication channel. Thus, the security of any key-based 
cryptographic method depends ultimately on the secrecy of the key. All existing classi- 
cal key-distribution cryptosystems are not proven to be secure; their secrecy is based on 
computational complexity assumptions which sometimes turn out to be false. In partic- 
ular, some existing cryptosystems can be broken (in principle) due to new developments 
|1J in quantum computation. On the other hand, the secrecy of quantum cryptosystems 
is guaranteed by the fundamental laws of quantum mechanics. Any intervention of an 
eavesdropper, Eve, must leave some trace which can be detected by the legal users of the 
communication channel. 

In the last years many quantum cryptosystems were suggested. All these schemes use 
non-orthogonal states to encode the information. The first key-distribution scheme was 
presented by Bennett-Brassard in 1984 (a variation of it was already tested experi- 
mentally ||). In this scheme Alice transmits single photons polarized along one of four 
possible directions, J, <->•, f or \. The first two are orthogonal in one basis and the 
other two are orthogonal in another basis. The encoding is as follows: Alice chooses, at 
random, one of the four states and sends it to Bob. It is agreed that the states <-> and 
\ stand for bit value 0, and the states \ and f stand for bit value 1. Bob chooses, 
also at random, a basis, © or <g>, and measures the polarization in that basis. If Alice 
and Bob choose the same basis, their results should be identical. If they choose different 
bases, their results are not correlated. By discussing over an insecure classical channel 
(which cannot be modified by an eavesdropper), Alice and Bob agree to discard all the 
cases where different bases were used (about half of the bits). The result should be two 
perfectly correlated strings, unless the transmission was disturbed. Any eavesdropping 
attempt must introduce errors in the transmission, since Eve does not know the polariza- 
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tion of each photon. Whenever Alice and Bob measure in one basis and Eve in the other 
basis, the correlation of the strings is destroyed. 

The encoding in quantum cryptography was based on non-orthogonal states since they 
cannot be cloned (duplicated) by an eavesdropper. Even an imperfect cloning attempt 
(intended to gain partial information) induces errors in the transmission, therefore it is 
detectable. In general, any two non-orthogonal states can be used for quantum cryptog- 
raphy, as shown by Bennett ||]. On the other hand, orthogonal states can be faithfully 
cloned, so that Eve can copy the data without being noticed. For these reasons it is gen- 
erally believed that the use of non-orthogonal states is crucial in quantum cryptography. 
In this Letter we present a new quantum cryptosystem, in which data exchange between 
Alice and Bob is done using two orthogonal states, and yet, any eavesdropping attempt 
is detectable. 

The security of our scheme is based on two novel ingredients. First, the orthogonal 
states sent by Alice are superpositions of two localized wavepackets. The wavepackets are 
not sent simultaneously towards Bob, but one of them is delayed for a fixed time and sent 
after the other. Second, the transmission time of each particle is random (and therefore, 
unknown to Eve). The tests performed by the users at the end of the communication 
allows the detection of an eavesdropper. 

Let | a) and \b) be two localized wavepackets, which are sent from Alice to Bob along 
two separated channels. We shall take two orthogonal states |\&o) an d |^i)> linear com- 
binations of | a) and \b), to represent bit value '0' and bit value '1', respectively: 



Alice sends to Bob either j^o) or The two localized wavepackets, \a) and \b), are not 
sent together, but wavepacket \b) is delayed for some time r. For simplicity, we choose 
r to be larger than the traveling time of the particles from Alice to Bob, 9. Thus, \b) 
starts traveling towards Bob only when \a) already has reached Bob, such that the two 
wavepackets are never found together in the transmission channels. 



1/V2(|a> + |&», 



(1) 




(2) 
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In order to explain the idea behind the protocol, we shall consider a particular imple- 
mentation of our scheme (the discussion assumes a noise-free transmission). The setup 
(Fig. [I]) consists of a Mach-Zehnder interferometer with two storage rings, SRi and SR2, 
of equal time delays. Alice can transmit a bit by sending a single particle either from the 
source So (sending '0') or from the source S\ (sending '1'). The sending time t s is random, 
and it is registered by Alice for later use. The particle passes through the first beam- 
splitter BSi and evolves into a superposition of two localized wavepackets: \a), moving 
in the upper channel and \b), moving in the bottom channel. The particle coming from 
Sq evolves into \^q) and the particle coming from S\ evolves into l^i). The wavepacket 
I b) is delayed in the storage ring SRi while \a) is moving in the upper channel. When \a) 
arrives to the storage ring SR2 at Bob's site, wavepacket \b) starts moving on the bottom 
channel towards Bob. During the flight-time of \b), wavepacket \a) is delayed in S7? 2 . 
Finally, the two wavepackets arrive simultaneously to the second beam-splitter BS2 and 
interfere. A particle started in the state \^>q) emerges at the detector D , and a particle 
started in the state emerges at the detector D%. Bob, detecting the arriving particle, 
receives the bit sent by Alice: Dq activated means '0' and D\ activated means '1'. In 
addition he registers the receiving time of the particle t r . 

Alice and Bob perform two tests (using a classical channel) in order to detect possible 
eavesdropping. First, they compare the sending time t s with the receiving time t r for each 
particle. Since the traveling time is 9 and the delay time is r, there must be t r = t s + r + 9. 
Second, they look for changes in the data by comparing a portion of the transmitted bits 
with the same portion of the received bits. If, for any checked bit, the timing is not 
respected or anti-correlated bits are found, the users learn about the intervention of Eve. 

We will show that Eve, which has access to the channels but not to the sites of Alice 
and Bob, cannot extract any information without introducing detectable distortions in 
the transmission. The data is encoded in the relative phase between the two wavepackets 
I a) and \b). Therefore, the phase must be the same at t s and at t r . In addition, the two 
wavepackets must arrive together to BS2 at the correct time, otherwise a timing problem 
occurs. Any operation performed by Eve must obey these two requirements, or she will 
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be exposed by the legal users. 

Let us consider two times, t% and t 2 . At t± the particle just left BS\, so it is solely 
at Alice's site. At t 2 the particle is just before passing through BS 2 at Bob's site. If the 
particle is emitted from So, then at t\ its state is |\l/o(^i)) — 1/V2 (\a(ti)) + \b(ti))). If the 
particle is emitted from S*i, then at ti its state is I = l/\/2 (\a(ti)) — \b(ti))). Incase 

that nothing disturbs the transmission (i.e. Eve is not present), the free time-evolution is 

|¥ (fi)> — |^o(t 2 )) = l/v/2 (|a(t 2 )> + |6(t 2 )», (3) 
— \* 1 (t 2 )) = l/V2(\a(t 2 ))-\b(t 2 ))). (4) 

When Eve is present and she is trying to extract some information without being detected, 
the time-evolution must be such that |$o(^i)) evolves to 1^0(^2)) and evolves to 

I (^2 ) ) (if not, Bob will have a non-zero probability to receive inverted bits or to receive 
particles at incorrect times). Thus, the general form of the evolution from time t\ to time 
t 2 must be: 

|*o(*i)> m x )) — |*o(t 2 )> |$o(t 2 )>, (5) 
|*i(ti))|$(ti)) — > l*i(*2)) (6) 

where | <£(£)) is the state of some auxiliary system used by Eve for extracting information. 
If I $0(^2)) — 1^1(^2)), no extraction of information is possible. 

In protocols which use non-orthogonal quantum states for encryption, the time-evolution 
under eavesdropping must have the same form as eqs.(|5|) and (||. The security of these 
protocols, i.e. \&o(t 2 )) = l^ifo)), can be proven using the unitarity of quantum theory. 
When Eve is not present, from the free evolution (eqs.@ and (|])) we get (\l/i(ti)|\l/o(^i)) = 
(^i(t 2 )\^ (t 2 )). When Eve is present, from eqs.(|) and (|) we get (^i(ti)|^ (*i)) = 
{^i(t 2 )\^ (t 2 )) (^1(^2) 1^*0(^2))- Combining these two results we find \&o(t 2 )) = |$i(t 2 ))- 
With orthogonal states, however, this proof fails, since (^/i(ti)|^/ (^i)) = 0. For this 
reason one might believe that quantum cryptography cannot rely on orthogonal states. 

We shall prove now that our protocol is secure. Using the linearity of quantum theory, 
we consider the evolution of a particular superposition of | "^o (^1 ) ) an d \^i(ti)). Consider 
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at time t x a particle in the state \b(ti)) = 1/V2 (|\& (t 1 )) — |^i(ti))). The time-evolution 
of \b(ti)) \$(ti)) is obtained from eqs.(|5]) and (||) (using also eqs.(^) and (Q)): 

|&(fi))|<&(fi)> — 1/2 [|a(t a )> (\$ (h))-\Mh))) + \Kh)) (|$ (t a )>+|$i(t a )>)]. (7) 

The last equation shows that, unless |$o(^2)) = l^i^)), there is a non-zero probability 
to find the particle in the final state ja^))- This, however, is impossible. A particle in 
the state (0(^2)) is a particle which just emerged from the storage ring SR2 (there is no 
other possibility). Since the delay time is r, at an earlier time than t = t 2 — t the particle 
had to enter in Bob's site. At that time, a particle which started in the state \b(ti)), as 
in eq.(^), is still captured in SR± at Alice's site. Such a particle enters in the bottom 
channel after time t, and then it is too late for Eve to send a dummy particle on the 
upper channel. She cannot send that particle at the correct time since she does not know 
it until the original wavepacket arrives. Thus, the state (0(^2)) should not appear in the 
right-hand side of eq.(0), and therefore, ($0(^2)) = l^ife))- This ends the proof. 

We want to emphasize that the sending time cannot be publicly known, otherwise 
Eve could apply the following strategy: Using a replica of Alice's setup, she sends to 
Bob (at the correct time) a wavepacket \b) of a dummy particle, while waiting for Alice's 
particle. Using a replica of Bob's setup, she measures the later. Depending on the result 
of the measurement, she places a phase-shifter in front of the delayed wavepacket \a) of 
the dummy particle, in order to adjust the final interference. In this way Eve can extract 
the complete information without being exposed. 

Since r > 6, Eve has no access to \a) and to \b) together at any time. This seems to be 
a necessary requirement for a secure protocol, but it is not. If the communication is based 
on particles moving at the speed of light, it is enough to demand t > At, where At is 
the accuracy of the time measurements of t s and t r (assuming very narrow wavepackets) . 
The security in this case is proven in the same way: the state (0(^2)) should not appear in 
eq. (]?]), since Eve gets wavepacket \b) too late for sending a dummy particle on the upper 
channel. Moreover, if we arrange a large distance between the two transmission channels 
(which requires large secure users' sites), we can use our procedure even without time 
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delay. Any attempt of Eve to recombine the wavepackets in order to measure the phase, 
introduces an extra flight-time which will be detected by the users. However, now the 
security requires that Eve cannot use faster-than-light particles for eavesdropping. Thus, 
these versions of the protocol exceed the limits of non-relativistic quantum mechanics; 
they might be classified as "quantum-relativistic protocols" with orthogonal states. 

In the previous discussion we have assumed ideal transmission conditions. In practice, 
any communication system is restricted by the limited efficiency of its components. The 
transmission is distorted by the noise of the channel, the losses and dark counts of the 
detectors, etc. Since errors from different sources are not necessarily distinguishable, 
Eve may obtain some information without being detected, as long as the amount of 
errors she introduces does not exceed the noise. Known methods of error correction and 
privacy amplification techniques can be included in a practical version of our protocol. 
The problems caused by losses and dark counts are automatically solved, due to the 
comparison between t s and t r . 

We shall raise some ideas related to the realization of our protocol in the laboratory. 
The first essential ingredient, random emission time, can be achieved very naturally using 
down-conversion crystal source of pairs of photons. In this way, the sending time of the 
photon is registered with very high efficiency and precision by a detector of the "idler" 
photon. The second ingredient, the time delay, can be achieved using an optical fiber loop. 
Probably, the most difficult part of the proposal is to have a Mach-Zehnder interferometer 
with a stable phase difference between its two (very long) arms. This problem can be 
avoided using one arm (an optical fiber) and two orthogonal polarizations as two quantum 
channels. In this setup wavepacket \b) leaves Alice's site when it is spatially delayed 
relative to wavepacket \a), and with a different polarization. In Bob's site, wavepacket \a) 
is delayed and its polarization direction is rotated, such that the two wavepackets finally 
interfere correctly. 

Since there are some difficulties in an experiment with two polarization channels, a 
better way is sending the states with the same polarization, i.e. using a single channel. 
A modification of the setup in Fig. p] allows the transmission of the wavepackets with the 
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same polarization, but for the price of wasting a part of the photons ||. A mirror and a 
beam-splitter added to Alice's site (after SR±) can partially recombine the two channels 
into a single one. Similar beam-splitter and mirror added to Bob's site (before SR2) can 
recover the two channels. As before, the users consider only photons which respect the 
timing requirement, but now a part of the sent photons are lost even if Eve is not present. 
Half of the photons are lost at Alice's site since they do not enter into the channel, and half 
of those which arrive to Bob's site are lost since they are detected at incorrect times. Thus, 
only 25% of the photons are usable, but this is good enough for key-distribution. The 
phase can be preserved more efficiently on a single channel, therefore this method might 
be practical for long-range transmission. One may be tempted to improve this proposal 
by introducing a setup which allows Bob to measure correctly all the transmitted photons. 
This can be done for the price of introducing uncertainty in the correlations between the 
sending and the receiving time of each photon, but then the method is not appropriate for 
our purpose (since Eve has time to get the signal and to resend it without being detected). 

An advantage of using orthogonal states over non-orthogonal states is also related 
to the possibility of transmitting signals at long distances: orthogonal states can be 
'enhanced' in intermediate stations, as classical signals are. Measuring a signal many times 
on the way decreases dramatically the amount of expected errors, due to the 'quantum 
Zeno effect'. The stations, however, have to be secure as the sites of Alice and Bob are. 

Another advantage of our protocol (with two channels) over some other protocols (for 
example 0) is that the bits are not random, but chosen by Alice, and that all the sent 
bits can be used. Therefore, the protocol is not restricted to key-distribution only - it can 
be used for sending the message directly 0. Of course, Eve can read the message, but in 
an error-free channel she will be detected in time if Alice and Bob test the transmission 
frequently enough. The direct message transmission is possible not only on an error-free 
channel f5j. In a practical case (when noise is present), Alice and Bob agree in advance on 
the tolerable error rate and on the degrees of accuracy and secrecy they want to achieve. 
In order to transmit a message of some length n, Alice builds a longer string: some extra 
bits are used for estimating the error rate (hence, the maximal information leaked to Eve) 
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and some for redundancy, which is used - via block-coding - to derive the n-bits message. 
The reliability of the n-bits message is assured by Shannon's channel coding theorem, 
(see ||). At the end of the transmission, Alice tells Bob which bits were used for error 
estimation, and afterwards, the function used for block-coding. If Bob, estimating the 
error rate, detects Eve, he prevents publishing the block-coding function by informing 
Alice. Thus, the message is transmitted with an exponentially small probability of errors 
and exponentially small information leakage. 

Let us conclude with a discussion of the title of our work. Strictly speaking, the set of 
all possible states sent by Alice is not a set of orthogonal states. Two states corresponding 
to identical bits, sent at two very close times, are not orthogonal. However, if the width of 
the wavepackets \a) and \b) is small enough, then the measure of mutual non-orthogonality 
is negligible. Moreover, we can replace the random sending times by random discreet 
sending times, and then, all the possible sent states will be mutually orthogonal. The 
previous proof assures the security of this procedure too. Note also, that in our basic 
method (with two channels) all the states corresponding to different bits are mutually 
orthogonal, and this is the relevant feature. Indeed, the issue of mutual orthogonality 
of just these states is essential for the security proof of protocols using non-orthogonal 
states. 

The authors thank Tal Mor, Sandu Popescu, David DiVincenzo and Bruno Huttner 
for valuable comments. 
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Figures Caption 



Figure 1: Cryptographic scheme based on a Mach-Zehnder interferometer. The device 
consists of two particle sources So an d 5*1, a beam-splitter BS±, two mirrors, two storage 
rings SRi and SR 2 , a beam-splitter BS 2 and two detectors D and D\. The device is 
tuned in such a way that, if no eavesdropper is present, a particle emitted by So (Si) is 
finally detected by D (Di). 
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